SophosLabs malware forecast points to rising IoT threats, more ransomware

sophoslabsSophosLabs has released a malware forecast to coincide with the start of RSA Conference 2017.

Typically, our research papers focus on Windows, which has traditionally been the largest battleground. While some of the report does indeed look at Microsoft-specific challenges, we decided to focus more on the increasing malware threats directed at platforms where the risks are often not as well understood, specifically Linux, MacOS and Android devices.
Continue reading

New SophosLabs research: Exploring the popularity and applications of document exploit builder Ancalog

sophoslabsDocument exploitation is a well-known method of distributing malware in the malware community. A common theory for why crooks use booby-trapped documents is that victims can be more easily convinced to open document attachments than executables.

Word, Excel and PDF documents that contain so-called exploits – active booby-traps – have the added trick of not requiring their victims to manually enable macros, as is often the case for VBA downloaders.

The latest technical paper from SophosLabs explores why we’re seeing more document exploitation malware in the wild, and investigates the long-standing popularity of a document exploitation generator called Ancalog, which is widely commercially available.

Continue reading

New SophosLabs research: Cryptomining malware on NAS servers worldwide

sophoslabs-150SophosLabs has just released a research paper on a new way that cybercriminals are distributing malware that makes money by “borrowing” your computer to mine cryptocurrency.

The report by Attila Marosi, Senior Threat Researcher at Sophos, investigates the Mal/Miner-C malware, which criminals are using to mine the cryptocurrency Monero.

In this paper, Marosi examines how Mal/Miner-C quietly infects victims’ computers and communicates with host servers to run mining operations covertly in the background.

Continue reading

Cybercriminals shift their tactics for Microsoft Office document exploitation – SophosLabs research

This latest technical paper from our team in SophosLabs examines the newest techniques being used by cybercriminals to conduct Microsoft Office document exploits.

For four years, the preferred vulnerability for a document exploit attack was CVE-2012-0158, but as this vulnerability has aged out – due to users and administrators updating and patching their systems to remediate it – criminals have had to target new vulnerabilities to keep up their attacks.

SophosLabs has found that criminals using several popular exploit kits, including Microsoft Word Intruder, are now predominantly targeting CVE-2015-1641 and CVE-2015-2545.

Continue reading

“The Word bug that just won’t die”: CVE-2012-0158, the cybercrime gift that keeps on taking…

vawtrak-bankArguably one of the most exploited Microsoft Office vulnerabilities of the last decade, CVE-2012-0158’s longevity is one of constant adaptation. Ever since its disclosure in 2012, this vulnerability has been the attack vector of choice for exploitation by attackers who seek to hijack Microsoft Word or Excel and force these programs to execute malicious code.

In fact, according to SophosLabs research, as late as Q4 2015, CVE-2012-0158 was still used by 48% of exploits specifically targeting Office documents.

In this new research paper, Graham Chantry of SophosLabs provides a deep dive into several exploits found in the wild and how they work using CVE-2012-0158.

Continue reading

SophosLabs: Vawtrak banking malware updated with new targets and innovations

vawtrak-bankA new version of a deceptive banking malware has been responsible for a series of attacks on financial institutions in many countries around the world in the past year, SophosLabs reports in a new research paper.

Vawtrak (also known as NeverQuest and Snifula) has been around for a few years now, yet it continues to thrive as a popular crimeware-as-a-service kit used by a variety of cybercriminal groups.

SophosLabs analysis of what we are simply calling Vawtrak version 2 shows the malware authors have introduced new innovations, while making frequent updates to meet demand and stay ahead of defenses.

Continue reading

Why malware authors keep using the same old Microsoft Office exploits

Office exploitsSophosLabs Principal Malware Researcher Gabor Szappanos has closely studied Microsoft Office exploits for the past few years. We’ve previously covered his investigation of the Microsoft Word Intruder exploit creation kit, and his recent paper exploring the most popular Office exploit kits.

In a new research report, Gabor takes a closer look at the top four Office exploit kits used in the last quarter of 2015. He also reports which exploits were most commonly used in malicious documents, and shows us what families of malware were distributed by the studied samples.

As Gabor explains, malware authors are increasingly attracted to document exploits as the initial entry point for their attacks. The attackers spread their booby-trapped Office documents through phishing emails spammed out to large numbers of random recipients (cybercrime groups), or to a more select list of targets (APT groups).

Notably, the majority of Office exploits malware authors have been using in malicious documents are now several years old. The most popular exploit, CVE-2012-0158, has been around for well over three years now.

Continue reading